OracleVM 2.2 : xen (OVMSA-2016-0012)

High Nessus Plugin ID 88737


The remote OracleVM host is missing one or more security updates.


The remote OracleVM system is missing the patches needed to address the following critical security updates:

- XSA-125: Limit XEN_DOMCTL_memory_mapping hypercall to only process up to 64 GFNs (or less) (Jan Beulich) [20732412] (CVE-2015-2752)

- XSA-126: xen: limit guest control of PCI command register (Jan Beulich) [20739399] (CVE-2015-2756)

- XSA-128: xen: properly gate host writes of modified PCI CFG contents (Jan Beulich) [21157440] (CVE-2015-4103)

- XSA-129: xen: don't allow guest to control MSI mask register (Jan Beulich) [21158692] (CVE-2015-4104)

- XSA-130: xen/MSI-X: disable logging by default (Jan Beulich) [21159408] (CVE-2015-4105)

- XSA-131: [PATCH 1/8] xen/MSI: don't open-code pass-through of enable bit modifications (Jan Beulich) [21164529] (CVE-2015-4106)

- XSA-131: [PATCH 2/8] xen/pt: consolidate PM capability emu_mask [21164529] (CVE-2015-4106)

- XSA-131: [PATCH 3/8] xen/pt: correctly handle PM status bit [21164529] (CVE-2015-4106)

- XSA-131: [PATCH 4/8] xen/pt: split out calculation of throughable mask in PCI config space handling [21164529] (CVE-2015-4106)

- XSA-131: [PATCH 5/8] xen/pt: mark all PCIe capability bits read-only [21164529] (CVE-2015-4106)

- XSA-131: [PATCH 6/8] xen/pt: mark reserved bits in PCI config space fields [21164529] (CVE-2015-4106)

- XSA-131: [PATCH 7/8] xen/pt: add a few PCI config space field descriptions [21164529] (CVE-2015-4106)

- XSA-131: [PATCH 8/8] xen/pt: unknown PCI config space fields should be read-only [21164529] (CVE-2015-4106)


Update the affected packages.

Plugin Details

Severity: High

ID: 88737

File Name: oraclevm_OVMSA-2016-0012.nasl

Version: $Revision: 2.2 $

Type: local

Published: 2016/02/15

Modified: 2017/02/14

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:xen, p-cpe:/a:oracle:vm:xen-64, p-cpe:/a:oracle:vm:xen-debugger, p-cpe:/a:oracle:vm:xen-devel, p-cpe:/a:oracle:vm:xen-pvhvm-devel, p-cpe:/a:oracle:vm:xen-tools, cpe:/o:oracle:vm_server:2.2

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2016/02/12

Reference Information

CVE: CVE-2015-2752, CVE-2015-2756, CVE-2015-4103, CVE-2015-4104, CVE-2015-4105, CVE-2015-4106

BID: 72577, 73448, 74947, 74948, 74949, 74950

OSVDB: 120061, 120062, 122855, 122856, 122857, 122858